CookiePro Blog August 21, 2019

The Brazil General Data Protection Law (LGPD) vs. the GDPR

It’s been a year since the Brazilian president sanctioned the Brazilian General Data Protection Law (LGPD) in August 2018. The LGPD carries many similarities with the EU’s General Data Protection Regulation (GDPR); however, it is leaner in comparison.

The LGPD is set to come into force in August 2020 after its initial 18-month deadline was extended by an additional six months by President Michel Temer. There was uncertainty about the LGPD’s future when the same president vetoed several acts of the bill before its passing, most notably those needed to create Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD).

However, on July 8, 2019, Brazil’s new president, Jair Bolsonaro, promulgated Law No. 13.853/2019 which amends some provisions of the LGPD and provides for the creation of the ANPD. With its data protection authority now a reality, Brazil is moving forward with the enforcement of the LGPD.


Many companies have gone through the rush for GDPR compliance, but there are notable differences between the GDPR and the LGPD. Here are some of the main differences.

Territorial scope

Both the GDPR and the LGPD have similar territorial scopes: they apply to all companies offering goods or services to data subjects in the EU or Brazil, regardless of where they are located.

However, the GDPR explicitly includes organizations that are not established in the EU, but that monitor the behavior of individuals located in it. The LGPD has no such provision.


Both the GDPR and LGPD qualify consent as a freely given, informed and unambiguous indication of the data subjects’ agreement for processing data as a general rule. However, the LGPD uses the adjective “specific” instead of “explicit” (used in the GDPR) as an additional criterion for valid consent in specific situations: sensitive data and international data transfers.

Both regulations are concerned with empowering data subjects with meaningful control and choice regarding their personal information. For example, the information by which data subjects are informed about the processing of their personal data should be clear, adequate, easily accessible and transparent.

Legal bases for data processing

One of the major differences between the two laws is the legal bases for data processing. The GDPR’s original six include explicit consent, contractual performance, public task, vital interest, legal obligation and legitimate interest.

The LGPD includes the six and adds four more: studies by a research body, exercise of rights in legal proceedings, health protection and credit protection.

Data Subjects’ Access Requests

An individual’s right to data access is guaranteed under both the GDPR and the LGPD. Data subjects can request access to the data a company has collected about them and can request further actions concerning it: its portability, deletion or correction.

The GDPR allows organizations 30 days to answer data subjects’ access requests, while the LGPD only gives them 15 days.

Mandatory Data Breach Notifications

While both laws have made data breach notifications mandatory, their requirements differ slightly.

The GDPR imposes a strict 72 hours in which companies are required to notify Data Protection Authorities (DPAs) of data breaches. On the other hand, organizations subject to the LGPD must do so within an undefined “reasonable” time. The LGPD requires companies to also notify data subjects of data breaches, something that is not a requirement under the GDPR.


The GDPR notoriously allows DPAs across Europe to issue fines of up to 4% of a company’s global annual turnover or €20,000,000 (roughly $22,000,000), whichever is higher.

Under the LGPD, organizations face similar penalties: up to 2% of their total revenue in Brazil in the previous year or up to 50,000,000 Brazilian Reals (approximately $13,000,000), whichever is higher. The LGPD also lists possible daily penalties to enforce compliance.

In conclusion

While there are a great number of similarities between the LGPD and the GDPR, there are points such as the legal bases and mandatory data breach notifications on which the LGPD goes further than the European legislation.
